https://bugzilla.mindrot.org/show_bug.cgi?id=2408
[email protected] changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED |--- CC| |[email protected] --- Comment #16 from [email protected] --- Hi, I took a look at the original patch proposed by György and sources of 7.6 release. While the proposed patches expose auth info to PAM for session and accounting modules, reading OPs sources and his use case (https://cern-cert.github.io/pam_2fa/) I recon that the proposed patch does not solve OPs problem. The initial idea behind this patch was to allow PAM to detect successful authentication performed by openssh own methods and decide which additional authentication methods were required. The design was to allow users to log-in using PAM keyboard-interactive (passwd, mysql, ldap, whatever) getting a proper password prompt and 2FA (google, yubico, whatever) or using openssh own mechanism (pubkey, gssapi), avoid password prompt and jump directly to 2FA prompt. This use case requires exposure of SSH_AUTH_INFO within auth module, not session or accounting. Could György please comment on that? Best, Radek -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
